OIDC not working after app migration to another Cloudron & IPv6 error

nebulon

Maybe there is a package bug in updating the client id/secret in the config file. Can you verify that those match the values from the env variables in the webterminal in the app? You can run env command to see all variables. The ones in question are https://docs.cloudron.io/packaging/addons/#oidc

humpty

I don't see any OIDC references when running env in the webterminal in the Matrix app. Here's a screenshot without exposing any private stuff so you can see what lines are in there. Please let me know if you need me to email this instead.

humpty

CR turn secret = matches
SMTP pass = matches
CR Postgre DB = matches
CR Postgre Pass= matches

The entire OIDC Providers info in homeserver.yaml aren't referenced in the result of env so there's nothing to check against.

homesever.yaml is 100 lines total if that helps.

humpty

I installed matrix/element on another domain on my other Cloudron and compared the homeserver.yaml files. There's some differences with the code formatting like one has " the other doesn't, some lines have [ ... I fixed up my existing install to match the formatting of the test app but that didn't help. The only difference now is the following:

#This is on the broken matrix homeserver.yaml
localdb_enabled: true 

#This is on the new test matrix homeserver.yaml
localdb_enabled: false
pepper: xxxxxx (random characters)

Could this be caused by the IPv6 error I get when checking via the Matrix Federation checker website?

Connection Errors
Get "https://[2500:7600:FJ00:22:1000:e5ff:gh33:2355]:443/_matrix/key/v2/server": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

nebulon

If you don't see those env variables, are you sure you installed the app with Cloudron usermanagement even?

humpty

This is an old install that I migrated. The users are my Cloudron users from the previous CR, so the answer is yes?

I kept the same usernames on the new CR and migrated the app only - not the entire Cloudron if that makes a difference.

The mobile and desktop clients continue to work as usual. I didn't have to do anything like logout and back in. Now, I'm thinking that if I do log out, I might run into issues getting back in. I'll try logging in on a new desktop app when I get home to see if it works.

BTW, I set up the admin synapse from github (done it before) and I couldn't log in into that either. "e is not defined" or something like that.

nebulon

if you miss the OIDC related env variables, then most likely Cloudron user management is not enabled. You can check this in the app configuration view in the access control tab.

Is it possible that you have enabled openid manually using a custom open id client setting instead of the Cloudron user integration? If so that would at least explain the wrong client id

humpty

@nebulon if I did, it's definitely not intentional - I'm not a fan of OIDC tbh.

nebulon

So that is the root cause then. Since you migrated the app, the new Cloudron does not have the OIDC client credentials which the other Cloudron has. You have to recreate this and configure the app accordingly.

humpty

I'm not sure how to do any of that but I'll worry about this later as I received a reply from Hetzner support about my VPS (SMTP issue) and you won't believe what they said.

james

@humptydumpty said in OIDC not working after app migration to another Cloudron & IPv6 error:

you won't believe what they said

On that cliffhanger, can this topic be marked as solved or is this still technically open?

humpty

@james I never got OIDC "fixed". I was able to log in again simply by resetting the password. I haven't tried adding new users since the migration because only my immediate family and myself use the app. Feel free to mark it as solved. Thank you.